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1 . A method of detecting a computer virus that attempts to gain access to 
restricted computer system resources, comprising: 

emulating computer executable code in a subject file; and 
5 monitoring the emulation of the computer executable code and monitoring a 

memory state of the computer system for modifications caused by the emulated 
instructions in the computer executable code, to detect an attempt by the emulated code 
to access one or more of the restricted computer system resources. 

10 2. The method of claim 1 , wherein monitoring the emulation includes detecting 

installation of a new exception handler followed by forcing of a corresponding exception. 

3 . The method of claim 1 , wherein monitoring the emulation includes detecting 
writing of a new pointer to at least one predetermined address in system memory for 

1 5 storing an exception handler pointer. 

4. The method of claim 1 , wherein monitoring the emulation includes detecting 
installation, in system memory, of a new pointer to an exception handler. 

20 5. The method of claim 1, wherein monitoring the emulation includes detecting 

installation of a new interrupt handler followed by forcing of a corresponding interrupt. 

6. The method of claim 1 , wherein monitoring the emulation includes detecting 
writing of a new pointer to at least one predetermined address in system memory for 

25 storing an interrupt handler pointer. 

7. The method of claim 1 , wherein monitoring the emulation includes detecting 
use of a predetermined instruction to retrieve an address in system memory 
corresponding to an interrupt descriptor table. 

30 

8. A program storage device readable by a machine, tangibly embodying a 
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program of instructions executable by the machine to perform method steps for detecting 
a computer virus that attempts to gain access to restricted computer system resources, the 
method steps comprising: 

emulating computer executable code in a subject file; and 
5 monitoring the emulation of the computer executable code and monitoring a 

memory state of the computer system for modifications caused by the emulated 
instructions in the computer executable code, to detect an attempt by the emulated code 
to access one or more of the restricted computer system resources. 

10 9. A computer system, comprising: 

a processor; and 

a program storage device readable by the computer system, tangibly embodying 
a program of instructions executable by the processor to perform method steps for 
detecting a computer virus that attempts to gain access to restricted computer system 
1 5 resources, the method steps comprising: 

emulating computer executable code in a subject file; and 
monitoring the emulation of the computer executable code and monitoring 
a memory state of the computer system for modifications caused by the emulated 
instructions in the computer executable code, to detect an attempt by the emulated code 
20 to access one or more of the restricted computer system resources. 

10. A computer data signal embodied in a transmission medium which embodies 
a program of instructions executable by a computer for detecting a computer virus that 
attempts to gain access to restricted computer system resources, comprising: 

25 a first segment including emulation code to emulate computer executable code 

in a subject file; and 

a second segment including monitor code to monitor emulation of the computer 
executable code and monitoring a memory state of the computer system for modifications 
caused by the emulated instructions in the computer executable code; and 

30 a third segment including detector code to detect an attempt by the emulated code 

to access one or more of the restricted computer system resources. 
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11. An apparatus for detecting computer viruses that attempt to gain access to 
restricted computer system resources, comprising: 

an emulator component, wherein the emulator component emulates computer 
executable code in a subject file; 
5 a monitor component, wherein the monitor emulation of the computer executable 

code and monitoring a memory state of the computer system for modifications caused 
by the emulated instructions in the computer executable code, and supplies information 
regarding the emulated code and modification of the memory state; and 

a detector component, wherein the detector component, based on the information 
10 supplied by the monitor component regarding the emulated code execution and 

modification of memory state by the emulated code execution, detects an attempt by the 
emulated code to access one or more of the restricted computer system resources. 

1 2. The apparatus of claim 1 1, wherein the monitor component monitors system 
1 5 memory. 

13. The apparatus of claim 11, wherein the detector component detects 
installation of a new exception handler. 

20 14. The apparatus of claim 13, wherein after the detector component detects 

installation of a new exception handler, the detector component monitors code execution 
to detect forcing of a corresponding exception. 

15. The apparatus of claim 11, wherein the detector component detects writing 
25 of a new pointer to at least one predetermined address in system memory for storing an 

exception handler pointer. 

16. The apparatus of claim 11, wherein the detector component detects 
installation of a new interrupt handler. 

30 

17. The apparatus of claim 16, wherein after the detector component detects 
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installation of a new interrupt handler, the detector component monitors code execution 
to detect forcing of a corresponding interrupt. 

1 8 . The apparatus of claim 1 1 , wherein the detector component detects writing 
of a new pointer to at least one predetermined address in system memory for storing an 
interrupt handler pointer. 

19. The apparatus of claim 11, wherein the monitor component detects use of 
a predetermined instruction to retrieve an address in system memory corresponding to 
an interrupt descriptor table. 
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